Security researchers say the legitimate email is training people to have bad email hygiene.

Last week, my partner got a strange email alert from Google—or at least it looked like it came from Google.

Alarmed and confused, she immediately forwarded it to me.

“What the what?” she wrote in the email.

My partner is not a security geek like I am, and yet I had the same reaction when I saw it. Both when she forwarded it to me last week, and when I got an identical alert today.

Inspecting it more closely, I was pretty confident this was a legit Google alert. The email address of the sender is no-reply@accounts.google.com, and Gmail itself tells me it’s mailed by gaia.bounces.google.com and signed by accounts.google.com. As a security reporter, these are both signs that tell me the email is legitimate. But regular users might not know where to look for these or how to interpret them.

Still we were not the only ones baffled and a bit worried by it.

Several people on Twitter told me they felt the same when they got it: some thought it was “suspect,” or straight up a “phishing email.”

Richard De Vere, a security consultant who specializes in social engineering, said that even though the Google email we got is not a phishing attempt, it is so good at luring people to click on a link that he plans to add it to his brochure of good phishing attacks to use it in his ethical hacking engagements.

“It has urgency, guides to a login page, quite vague, but alarming...we used to take legitimate Google emails and adapt, but this is just perfect as is. [...] It’s that good,” he tweeted. “Unforgivable for Google to send this out en masse.”

In this case, according to Google, the alerts are designed to get users to go through the very useful, and user-friendly, security checkup, which helps users set up two-factor authentication, check if any old apps have access to their account, and review unusual security events such as sign-ins from new devices.

The company told me that this alert is the result of months of experiments, and this version of the alert had the best engagement (meaning people actually opened and clicked it). There are no specifics in it because the company wanted to avoid giving hackers hints about what was wrong with the account, and the company concluded that the extra click required to get to the checkup was a security feature in this case.

Harlo Holmes, a digital security trainer at the Freedom of The Press foundation, told me that the design of this email alert “reinforces” the user error of clicking on phishing links. In effect, this alert may very well be training people to click on random links sent to their emails. In this case, the email is legitimate, but that type of behavior is generally how people get phished.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv

Holmes stressed that when someone receives an alert like this, the right thing to do is to first “take a deep breath,” and then open a new browser window and manually type and navigate to the settings of the service in question (in this case, to myaccount.google.com/security-checkup) and see what’s going on there, without ever clicking on the link in the email.

“They are walking a fine line here: if your account is compromised, they don’t want to give your attacker too much specific info as to how,” Holmes told me in an online chat. “They just give you enough info to hopefully get your attention.”

Matt Mitchell, a security specialist who teaches regular people how to stay safe online, agreed that this alert is poorly designed.

“I am sure the now panicked user just wants to know what to do,” he told me in an online chat. “Good security begins with common sense. Users will behave badly, we need to account and plan for that.”

Google has historically been very proactive at helping users improve their security settings and alerting them of attacks on their accounts. In 2012, the company started warning users who were targets of government hacking attempts. To avoid misunderstandings, these alerts don’t come in an email, but are displayed in the browser.